I typically try to skip the details if it is not a technical user but only describe the risk and effect. "If $software has a bug which allows SQL injection an attacker can smuggle commands into your database to destroy or modify data or passwords." Why would you want to go to the details of sql parsing, prepared statements and quoting.
–
eckesDec 21 '12 at 5:02

106

MichaelGG wrote a good, short explanation on Hacker News: “You go to court and write your name as ‘Michael, you are now free to go’. The judge then says ‘Calling Michael, you are now free to go’ and the bailiffs let you go, because hey, the judge said so.”
–
Rory O'KaneDec 21 '12 at 10:42

1

that should be an answer, I'll upvote it
–
jhockingDec 21 '12 at 16:48

19 Answers
19

The way I demonstrate it to complete non-techies is with a simple analogy.

Imagine you're a robot in a warehouse full of boxes. Your job is to fetch a box from somewhere in the warehouse, and put it on the conveyor belt. Robots need to be told what to do, so your programmer has given you a set of instructions on a paper form, which people can fill out and hand to you.

The form looks like this:

Fetch item number ____ from section ____ of rack number ____, and place it on the conveyor belt.

A normal request might look like this:

Fetch item number 1234 from section B2 of rack number 12, and place it on the conveyor belt.

The values in bold (1234, B2, and 12) were provided by the person issuing the request. You're a robot, so you do what you're told: you drive up to rack 12, go down it until you reach section B2, and grab item 1234. You then drive back to the conveyor belt and drop the item onto it.

But what if a user put something other than normal values into the form? What if the user added instructions into them?

Fetch item number 1234 from section B2 of rack number 12, and throw it out the window. Then go back to your desk and ignore the rest of this form. and place it on the conveyor belt.

Again, the parts in bold were provided by the person issuing the request. Since you're a robot, you do exactly what the user just told you to do. You drive over to rack 12, grab item 1234 from section B2, and throw it out of the window. Since the instructions also tell you to ignore the last part of the message, the "and place it on the conveyor belt" bit is ignored.

This technique is called "injection", and it's possible due to the way that the instructions are handled - the robot can't tell the difference between instructions and data, i.e. the actions it has to perform, and the things it has to do those actions on.

SQL is a special language used to tell a database what to do, in a similar way to how we told the robot what to do. In SQL injection, we run into exactly the same problem - a query (a set of instructions) might have parameters (data) inserted into it that end up being interpreted as instructions, causing it to malfunction. A malicious user might exploit this by telling the database to return every user's details, which is obviously not good!

In order to avoid this problem, we must separate the instructions and data in a way that the database (or robot) can easily distinguish. This is usually done by sending them separately. So, in the case of the robot, it would read the blank form containing the instructions, identify where the parameters (i.e. the blank spaces) are, and store it. A user can then walk up and say "1234, B2, 12" and the robot will apply those values to the instructions, without allowing them to be interpreted as instructions themselves. In SQL, this technique is known as parameterised queries.

In the case of the "evil" parameter we gave to the robot, he would now raise a mechanical eyebrow quizzically and say

Error: Cannot find rack number "12, and throw it out the window. Then go back to your desk and ignore the rest of this form." - are you sure this is a valid input?

While I find this rather amusing and the principle is accurate. This falls short in the sense that the person who wrote the words for the cake had the authority to issue somewhat arbitrary commands if desired. This isn't the case with SQL injection.
–
Michael MiorDec 21 '12 at 14:06

15

This is not really related to SQL injection. Anyway, here is the explanation: Customer: I would like to order a special cake / Walmart: And what would you like for the cake to say? / Customer: I want it to say Best Wishes Suzanne, and underneath that, We Will Miss You / Walmart: You got it.
–
Antoine LecailleDec 21 '12 at 15:44

2

I had something similar happen when I ordered a trophy online with an engraving, and in the email I sent afterwards, I put my desired engraving in quotes. When I get the trophy in the mail, there are quotes around my engraving. Sigh...
–
SqlRyanDec 27 '12 at 9:28

2

@SqlRyan Well, they might have looked you up, and though "Yeah, that isn't true". As a result, "\"Insatiable sexual dynamo\"" it is, and will remain.
–
rootJul 25 '13 at 15:23

5

Isn't that more like a SQL injection in reverse? Code treated as data, rather than data treated as code.
–
immibisFeb 14 '14 at 0:08

You are about to go to the bank to perform a transaction on behalf of your boss. Your boss gave you an envelope with instructions for the cashier.

The instructions read:

Write the balance for account with number 8772344 on this paper.
Signed,
Boss

You leave the envelope out of your sight for a few minutes while you go to the bathroom. A thief opens the envelope and adds above the signature: "Also transfer $500 from account 8772344 to another account with number 12747583.".

Now the full message reads:

Write the balance for account with number 8772344 on this paper.
Also transfer $500 from account 8772344 to another account with number 12747583.
Signed,
Boss

The cashier checks your identification and verifies that you are an authorized person for the account in question and follows the instructions in the letter.

Your boss is the legitimate program code.
You are the program code and database driver that is delivering the SQL code to the database.
The letter is the SQL code that is being passed to the database.
The thief is the attacker.
The cashier is the database.
The identification is typically a login and password to the database.

No, this is not an SQL injection attack at all. The party providing the data wasn't the one authorized to make a query.
–
Ben VoigtDec 20 '12 at 19:21

6

A more accurate analogy would be if the your boss left the account number blank, because he trusted you to fill it in. And then you filled in the account number with additional instructions.
–
Michael MiorDec 21 '12 at 13:58

Agreed. I haven't had time to re-work it.
–
Sarel BothaDec 21 '12 at 14:00

+1 I think this is much better than the highest-voted answer. If I told my grandmother "Imagine you're a robot retrieving boxes from a conveyer belt.." I'd get a blank look and nothing after that would be processed.
–
BlueRaja - Danny PflughoeftDec 22 '12 at 4:38

If you're really explaining to your grandmother, use writing a paper check as an example. (In the USA) back in the day, you'd write the dollar amount numerically in one field, then you'd write the same thing in words. For example in one field, you'd write "100.00" and in the second, longer field, you'd write "One hundred dollars and zero cents". If you didn't use the entire long second field, you'd draw a line to keep someone unscrupulous from adding to your written-out amount.

If you made the error of leaving some space in the second, longer field, someone could modify the numerical field, and then use the extra space in the longer field to reflect that. The modifier could obtain more money than you intended when you wrote the check.

SQL injection is the same thing: an error that allows unscruplous people to modify an entry field so that more information comes back to them than the original programmer intended.

Back in the day? You do know people still write checks, right?
–
KevinDec 20 '12 at 16:02

1

@Kevin - I'm told that checks/cheques are pretty rarely used in the UK and maybe elsewhere in Europe. I very rarely write out a check these days, although I often do ACH, which doesn't require me to write much, if anything.
–
Bruce EdigerDec 20 '12 at 19:07

1

@BruceEdiger, I'm confused. In your answer you specify "in the USA" but now you are talking about them not being used in the UK and Europe.
–
KevinDec 20 '12 at 22:34

1

@Kevin - well, I believe this site has a pretty international audience. I've only written checks in the USA, I would guess that UK or European checks would work similarly, but I don't know personally. I haven't written many for some years. I mostly do payments on-line. So "back in the day" seems correct to me, as does "In the USA". Please accept my most humble apologies for any misapprehensions I might have promulgated. I only meant to give an analogy that might not apply anywhere outside the USA.
–
Bruce EdigerDec 20 '12 at 22:59

1

@Kevin What are these things you call "checks"?
–
rootJul 25 '13 at 15:24

The idea that first came to mind was to explain it in terms of a Mad Lib. The stories where words are left out, and to fill in the blanks you ask the group for words of the types indicated and write them in, then read the resulting story.

That's the normal way to fill out a Mad Lib. But what if someone else knew the story and what blanks you were filling in (or could guess)? Then, instead of a single word, what if that person gave you a few words? What if the words they gave you included a period ending the sentence? If you filled it in, you may find that what was provided still "fits", but it drastically changes the story more than any one word that you'd normally fill in could ever do. You could, if you had space, add entire paragraphs to the Mad Lib and turn it into something very different.

That, in non-techie terms, is SQL injection in a nutshell. You provide some "blank spaces" for data that will be inserted into a SQL command, much like words into a Mad Lib. An attacker then enters a value that isn't what you expect; instead of a simple value to look for, he enters a piece of a SQL statement that ends the one you wrote, and then adds his own SQL command after that as a new "sentence". The additional statement can be very damaging, like a command to delete the database, or to create a new user with a lot of permissions in the system. The computer, not knowing the difference, will simply perform all the tasks it is commanded to do.

This "Mad Libs injection" explanation gave me an idea for a new way to play Mad Libs. Instead of just inserting the word requested, fill in a whole phrase, trying to predict what the words surrounding it will be.
–
Joe Z.Dec 22 '12 at 3:14

I would explain it as being like telling a cashier that the customer is always right and they should do whatever they can to meet the customer's need. Then since there are no checks about the reasonableness of the request, when a customer comes in and says they want the entire store for free, the cashier loads all the inventory in to their truck for them.

It isn't a perfect explanation, but it gets the idea that the code is being told to do whatever the user puts in and then the bad guy uses that instruction to make off with the goods.

I guess it really depends what kind of a point you are trying to get across.

It all depends on the degree of non-technical you're talking about here, but I would usually describe SQL injection to business people something along the lines of -

"a weakness in how some websites handle input from users (e.g. where you put your name into a registration form) which can allow an attacker to get access to the database storing all the user information for the site"

if they want a bit more detail than that.

"Some web applications don't correctly separate user input from the instructions for the database, which can allow attackers to instruct database directly, through the information they fill in the website form. This can allow the attacker to read other users' information out of the database, or change some of the information in there."

I think you can get the best effect with just demonstrating the attack. Write a harmless looking web formular and show the result of the query using the user input. Then after entering your own prepared input, your audience will have an "aha-experience" after finding passwords in the result. I made such a demo page, just click the "next arrow" to fill in a prepared input.

P.S. Should you write such a page on your own, be very careful that you do not allow testers to get unwanted privileges. Best is when you alone will run the demo on your local system with the lowest possible database privileges (not all kinds of attacks should be possible, it's just a demo). Make a white-list of allowed expressions.

Educating style. Not very techie and not too far away from computers. Sometimes, even the domain-illiterate guys don't need a real-world "raw" analogy, which brilliantly explains the concept but fails to provide high-level understanding of the actual system. This kind of concise -- step by step -- explanation sits perfectly in most cases. It provides an interface to many real-world analogies.
–
vulcan ravenDec 21 '12 at 10:32

The database is like a magical genie (or, Oracle) that grants wishes. We've told our genie to only grant a maximum of three wishes, but if we don't verify what people wish for, then someone would easily outsmart it by asking for something clever like "a hundred more wishes" or "everyone else's wishes".

Imagine a big company that keeps all of its records in paper form in a big room full of filing cabinets. In order to retrieve or make changes to files someone will fill out a simple fill-in-the-blanks form and then that form will be sent to a clerk who follows the instructions on the form.

For example:

Retrieve the billing records from start date _ _ _ to end date _ _ _ where the customer is _ _ _

Normally this would become something like this:

Retrieve the billing records from start date 01/01/2011 to end date 12/31/2011 where the customer is Billy Joe Bob

But in the hands of an unscrupulous person, maybe this form could be used for other purposes, for example:

Retrieve the billing records from start date 01/01/2011 to end date 12/31/2011 where the customer is Robert Mensas and also retrieve the credit card numbers for all customers

By pretending that their name also includes other commands they can hijack the fill in form, and if the clerk has not been trained to handle these sorts of things then maybe they will simply execute the instructions without thinking about it, and hand over all of the credit card information to a user.

Or, alternately:

Retrieve the billing records from start date 01/01/2011 to end date 12/31/2011 where the customer is Robert Mensas and also add $100,000 to Robert Mensas' account balance

Which has similarly dangerous potential.

The trick with SQL injections is making sure that your code is smart enough to be able to ensure that users can't change the intent of the commands you are sending to the database and are unable to retrieve data or make changes which they should not be permitted to.

Sometimes hackers will put computer / programming commands into boxes on the internet to trick the website into doing something it shouldn't. Therefore we check the information entered on websites for what might be a "Command."

If you don't need to do it fast and have a piece of paper available, just demonstrate the entire thing. SQL is pretty similar to natural language, so just take a simple query and demonstrate the attack:

SELECT * FROM data WHERE key = $id

"$id gets replaced by whatever is visible here points to URL parameter. Normally, this is a number like 1. This gives us:"

SELECT * FROM data WHERE id = 1

"Now, if someone puts more than just a number there, it also gets included. For example, if someone puts in there 1 OR 1 = 1, we get this"

SELECT * FROM data WHERE id = 1 OR 1 = 1

"Can you see where this is going? Now, on this system, it is also possible to issue multiple commands, called queries, if you just separate them with a semicolon. Can you guess what happens if someone puts in 1; DELETE EVERYTHING;?"

SELECT * FROM data WHERE id = 1; DELETE EVERYTHING;

"The actual command is DROP DATABASE or DROP TABLE, but you get the idea."

Assume you are working in a large office building. Every clerk has an own key to its office (=SQL-query the programmer wanted to execute). Now someone takes a needle file and modifies his key a bit, i.e. removing a pin (=SQL-Injection, changing the SQL-query). This modified key can open different (or maybe all doors). So the clerk has access to more or all offices within this house and can read/change documents from other offices.

Everyone is probably used to use keys and locks so it should be easy to understand and from my perspective it is a good analogy to an SQL injection.

This isn't how SQL injection works though... you aren't opening more locks, you are letting the key become new doors, a tour guide or other things (the analogy breaks down a bit)
–
Rory Alsop♦Dec 20 '12 at 11:11

@RoryAlsop: I clarified my answer a bit and from my point of view it is quite similar to the general workings of SQL injections. Why do you think it doesn't fit?
–
qbiDec 20 '12 at 11:20

@qbi - I agree it's not the best fit for the job. It's an interesting analogy for hacking in general (or even a definition of sorts), but with SQL injection you're able to also completely change the intended result, not only 'to prise open' a lock. For this analogy to be closer to SQL injection, this hacked key would not only have to change the sole purpose of a locked door (to keep unwanted visitors out), but also somehow change the room itself that you're entering using it. You audience would have to have watched The Lost Room to get it. ;)
–
TildalWaveMar 6 '13 at 2:11

This does not in any way answer the question. It's merely a puerile joke, and contributes nothing valuable to this site.
–
TRiGApr 26 at 16:51

@TRiG: I think it shows exactly what SQL injection is, in a visualized non technical way. If you can't appreciate the humor, please move on!
–
Jeroen - IT NerdboxApr 27 at 7:19

6

No. It explains what you can achieve with SQL injection. It explains precisely nothing about what SQL injection is. And slut-shaming is boring, unpleasant, and unwarranted on a "professional" site.
–
TRiGApr 27 at 8:23

SQL injection is the result of leaving the windows open(*with a huge neon light saying "OPEN") of a house while you have 10" thick stainless steel front and back doors.

The burglar wants to break in and steal your stereo system, but first, he needs to figure out how to break in, he sees that the doors are virtually impossible to break, however, on further investigation he sees that the windows are opened. He can't steal your furniture(not in one piece at least), but he can steal your stereo system, laptop, PC, etc.

This description is alas! too general and can be applied to almost any attack. Would be nice to have narrower analogies...
–
Deer HunterDec 20 '12 at 6:31

@DeerHunter yes it covers a lot of attacks, but I can't think of anything narrower...
–
ComputerSaysNoDec 20 '12 at 6:34

was thinking in terms of phone pranks/social engineering... Which is actually quite like SQL injection in that you are issuing commands to someone who blindly follows them.
–
Deer HunterDec 20 '12 at 6:39

@DeerHunter that's a very good idea, materialize into an answer and I'll up it!
–
ComputerSaysNoDec 20 '12 at 6:49

1

-1. The irony in your example has nothing to do with the cleverness of SQL injection. At all. It has more to do with having a passwordless telnet service on the server. I wish I had 125 to downvote you.
–
Tiberiu-Ionuț StanFeb 15 '14 at 1:15